Advanced Plus Security Windows Security updated setup

Status
Not open for further replies.

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Low Spec Pentium Dual Core with first gen SSD and HDD, Chrome starts cold in less than a second, repeat launches under half a second. Got a decent internet speed (150down-15up on wireless 100down-15up).
 

Glashouse

Level 4
Verified
Well-known
Jun 4, 2017
174
Thanks for sharing!

If I would go for such a light setup I would have a rock solid backup in place.
As I don't know how your sync software handles this, I am afraid you won't have versioning in place if something really bad happens...
 

Windows_Security

@frogboy: True, but it is the result of hardening Windows since 2010 using Group Policy and Office trust centre, topped with lots of icacls, service and registry tweaks.

@Glashouse: True, I do ad hoc quick backups to a second hard drive (requires elevation to write) during the day. Automated nightly backups to NAS when the router disconnects PCs from the Internet. During the day the NAS is protected (read only, only backup operator users are allowed to write to NAS). EDIT: added NAS backup to setup.
 

Windows_Security

@Windows_Security nothing to complain about :cool: Sounds good, doesn't this have an impact in your day to day work? Lots of restrictions....

Well, no functionality limitations in how I use my PCs in regard to AppLocker: Windows Update and Office updates are allowed from user folders. The unsigned software I use is Chromium and AppTimer only (both run fine as Medium IL), so UAC ValidateAdminCodeSignatures works perfectly (ask Umbra about his experience with this tweak) and acts as an additional LUA-sandbox for Chromium. Most installers use the Temp folder, so ACL deny execute for Everyone on vulnerable folders does not affect those Windows and Office updates either.

@jerzy601: How likely (do you think) is the chance of running into malware which uses a valid Microsoft signature? Same question for exploits breaking out of the protected process cage (as an example, all exploits of the HMPA test tool fail).

When someone would have those skills, why target those skills at such a rare individual setup: there are much bigger fish in the sea (e.g. money to be earned at PWN2OWN), same applies to general malware found in exploit kits (why develop a kit for such a small target market, when targeting Bitdefender or Avast the potential "customer" base is 400 to 500 million users larger)?
 

Windows_Security

@JM Security - tried ZAM Free again. I did not know the automatic start could be disabled. ZAM looks like a cross-over of HMP and MBAM. Have added it to my setup (it looks like HMP but uses more engines, it looks at the registry like MBAM for non default values and like MBAM flags safer/hardened values as errors). What are the opinions on ZAM? Copycat of HMP and MBAM or a cross-over offering the best of both worlds?
 

Windows_Security

With the improvements of Windows 10 and improvements to come it will become seamless and easy to use for novice users.

I am afraid AV-vendors will be getting a hard time and security will shift from 3rd party to OS built-in.

Have a look @Umbra settings and you will get the picture
 

Windows_Security

@Evjl's Rain: You made me doubt about adding KasperskyAR Tool for Business (free) to the mix because of the nice videos you post

EDIT: testing program launches delay with AppTimer hardly shows impact on unsigned process like Chrome (chromium), so I am adding it

C:\Program Files\Chromium\chrome.exe - 5 executions AppLocker + MemProtect
0.5624
0.2340
0.2806
0.3430
0.2806

C:\Program Files\Chromium\chrome.exe - 5 executions AppLocker + MemProtect + KasperskyAR
0.6082
0.3431
0.3120
0.3431
0.3587
 

Deleted member 178

@Windows_Security Great Config, on Win7 (and even Win10) you can't do much better.

AppGuard is my stronger alternative to AppLocker since I have only Win10 Home, and it also gives me some memory protection like MemProtect does.

I am afraid AV-vendors will be getting a hard time and security will shift from 3rd party to OS built-in.
Exactly my thought, in the next build of Win10 with the implementation of EMET, I wonder if I will keep HMPA... I have to see how EMET will be tweakable.
Lot of built-in stuff now in Windows, did you see the "folder protection" feature? Will make SecureFolders less needed...
 

Windows_Security

@Windows_Security Great Config, on Win7 (and even Win10) you can't do much better.

AppGuard is my stronger alternative to AppLocker since I have only Win10 Home, and it also gives me some memory protection like MemProtect does.


Exactly my thought, in the next build of Win10 with the implementation of EMET, I wonder if I will keep HMPA... I have to see how EMET will be tweakable.
Lot of built-in stuff now in Windows, did you see the "folder protection" feature? Will make SecureFolders less needed...

Yep, security wise there is no better Windows OS than Windows 10 and it is becoming better and better. When my wife had not asked me to put Win7 back on her laptop, because she is using Windows 7 at her work, I would not have downgraded myself either, because I really like Windows 10 (but I like to have the same setup on all PCs). I will update her Windows 7 Ultimate setup next month (will wait for a Windows Update to smooth out any upgrade issues).
 

simmerskool

Level 37
Verified
Top Poster
Well-known
Apr 16, 2017
2,616
I've been looking at MemProtect for months, but haven't taken the leap yet. Excubits website says >>MemProtect can be installed within a few seconds. In addition, our solution works fully transparent in the background, there is no interaction required.<< but it doesn't really "work" right out of the box, right? You have to tweak its settings as you show above and probably more involved than that. I both do (& do not) want to take the time to learn it deeply, yet I know if I did, I'd be more informed and better protected. Maybe this weekend... ... :eek:
 